Think Halloween is scary? How about a hacker shutting down your pacemaker?
The Chief Information Security Officer of the Year Award Breakfast is always a great opportunity to learn more about what is keeping elite CISOs up at night. The annual event brings together a who’s who of the most talented information security executives from America’s best companies. This year’s program was no exception, and we were honored to be one of the 2016 co-sponsors. We offer our sincerest congratulations to Todd Fitzgerald of Grant Thornton, this year’s CISO of the year award recipient. Todd accepted the award with a speech full of emotion in front of a packed Metropolitan Club of Chicago last week. It was quite a moment and Todd is a worthy recipient.
So, what emerging risks are worrying the most brilliant CISOs in the business? Jason Witty of US Bank, a former CISO of the Year Award recipient, highlighted some of these concerns in his keynote address. Witty should know, as he is considered by many to be one of our industry’s great minds. Predictably, Jason mentioned the explosion of cyber incidents in general, and how the “bad guys” are becoming smarter, more sophisticated, and more emboldened. The availability of inexpensive hacking tools offered for sale on the Dark Web is worrisome, to say the least. No list of emerging data breach trends would be complete without a discussion of phishing, email wire-transfer fraud, and, of course, ransomware, which has grown significantly in recent reporting periods. According to the FBI, over $200 million in ransom was paid in the first three months of 2016. Jason also elaborated on the fact that we are seeing a dramatic surge in attacks that raise fear in the minds of even the most seasoned information security professionals: the dreaded zero-day incident, in which the data exfiltration malware that causes a breach has never been seen before by the professionals trained to spot it. This is unprecedented, and it is creating job security in our industry, to be sure.
The hacking risks mentioned by Witty that I found most interesting, and perhaps most troubling, are the security exposures related to our growing reliance on the Internet of Things (IoT). IoT security concerns are not new, of course, but those risks are growing fast as these connected devices play increasingly critical roles in our daily lives. No one is particularly worried, for example, about what would happen if a criminal hacked their internet-connected smart fridge, you know, the device that tells you that your milk has spoiled. But would it concern you if hackers had discovered a way to shut down your heart pacemaker, or to hack the baby monitor camera in your newborn’s bedroom? Yeah, that’s what I thought.
A scene from a James Bond thriller? No, it’s the real world. MedSec Holdings, Inc., a Miami-based security start-up, has announced that it has discovered a security vulnerability in implanted heart defibrillators manufactured by St. Jude Medical, Inc., that could enable a hacker to access these pacemakers via the internet, potentially causing a life-threatening device failure. These devices are often connected to (and controlled by) mobile phone apps, which, as we know, can be hacked. Adding insult to injury, the industry research firm Muddy Waters, LLC, after learning of the security problem, shorted St. Jude stock just before the public release of the security vulnerability. Ouch. Some analysts believe this report could endanger the long-anticipated acquisition of St. Jude by Abbott Laboratories.
Unfortunately, security is often an afterthought for developers who are racing to market with sexy internet-connected toys like crock pots and driverless automobiles (remember last year when hackers disabled a Jeep Grand Cherokee and drove it off the road?). My company, for example, is currently advising a law firm on a wrongful death case that has arisen from the death of a diabetic college student whose implanted glucose-monitoring device appears to have failed. Making matters worse, many of these IoT gadgets do not have the same logging and incident alerting features that digital forensic firms like mine rely on to conduct forensic examinations after a breach occurs. This makes root-cause investigations more difficult, lengthy, and costly.
Make no mistake, the IoT has the ability to enhance and improve our world, but the stakes get higher as these devices play an increasingly important role in our daily lives, and they certainly will. Even today, relatively crude connected devices are controlling vital hospital monitoring systems, dams, critical infrastructure components like municipal water treatment systems, and some commercial airplane functions. Beyond that, a company’s most valued trade secrets can now be compromised by an absent-minded employee who inadvertently leaves a mobile device on a train seat during the morning commute.
Will this improve? Yes, of course. We are still in the “Wild Wild West” of our relatively young Internet of Things world, and developers of these devices will be forced to bake responsible security and logging capabilities into new products at some point. The market will eventually demand it. In the future, you will rest assured that the serious Russian nation-state actor, as well as the bored tech genius kid living in his parents’ basement, will find it difficult to hack your toaster, BMW, garage door opener, or implanted insulin pump. In the meantime, keep an eye on your pot roast.